On an IPv6 network, Internet Protocol Security (IPSec) is the standard mechanism for implementing network security. IPSec provides security services such as connectionless data integrity, data origin authentication, protection against replay attacks, data confidentiality, limited traffic-flow confidentiality, and access control for the IP layer and the upper-layer protocols. To protect an IP packet, the communicating parties on an IPv6 network need a method to agree on and protect the parameters of the communication, such as the key and the algorithm. All these parameters are stored in a Security Association (SA). At present, SA negotiation in IPSec is mainly implemented via the Internet Key Exchange protocol (IKE).
Specifically, the process of setting up an SA via IKE may be divided into two stages. Stage 1: the two parties negotiate to set up a communication channel, the IKE SA. The IKE SA is used only to protect data during setup of the IPSec SA; it is not the expected SA, and it is not used to protect the parties' normal communication data after the IKE SA has been negotiated. The communication channel is authenticated so as to provide confidentiality, data integrity, and data origin authentication for the two parties' further IKE communications. At the same time, the first IPSec SA is set up. The first IPSec SA is the expected SA and is used to protect the two parties' normal communication data. At the first stage, the communication parties require four messages to complete the interaction. Stage 2: the communication parties use the IKE SA that has been set up to replace the IPSec SA. At this stage, the communication parties require two messages to complete the interaction.
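As an added illustrative model, not part of the patent text and not IKE's actual wire format, the following Python walks both peers through the two stages described above and checks the resulting SA states and message counts. It assumes the exchange names of IKEv2 (RFC 7296: IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA), a constructed toy Diffie-Hellman group, and HMAC-SHA256 as the prf; the distinction it makes visible is that the IKE SA only protects the negotiation messages, while the IPSec SA is the one that is installed, and then replaced, for traffic.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed toy Diffie-Hellman group: 2**32 - 5 is prime but far too small
# for real use. IKE negotiates a standardised group; this only shows the flow.
P, G = 0xFFFFFFFB, 5

def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the negotiated IKE prf (HMAC-SHA256 here, an assumption)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

@dataclass
class Peer:
    name: str
    priv: int = field(default_factory=lambda: secrets.randbelow(P - 2) + 1)
    ike_sa: bytes | None = None    # protects IKE messages only, not traffic
    ipsec_sa: bytes | None = None  # protects user traffic (the "expected" SA)
    seen: int = 0                  # IKE messages exchanged so far

    def public(self) -> int:
        return pow(G, self.priv, P)

    def ike_sa_init(self, peer_public: int, ni: bytes, nr: bytes) -> None:
        """Messages 1-2 (IKE_SA_INIT): unprotected; derive the IKE SA key."""
        shared = pow(peer_public, self.priv, P).to_bytes(4, "big")
        self.ike_sa = prf(ni + nr, shared)
        self.seen += 2

    def protected_exchange(self, label: bytes, tag: bytes | None = None) -> bytes:
        """Messages 3-4 (IKE_AUTH) or 5-6 (CREATE_CHILD_SA): integrity-checked
        under the IKE SA; a verified exchange installs a fresh IPsec SA."""
        expected = prf(self.ike_sa, label)
        if tag is not None and not hmac.compare_digest(tag, expected):
            raise ValueError(f"{self.name}: message not protected by our IKE SA")
        self.ipsec_sa = prf(self.ike_sa, b"child", label)  # replaces the old SA
        self.seen += 2
        return expected

def negotiate(i: Peer, r: Peer) -> dict:
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    i.ike_sa_init(r.public(), ni, nr); r.ike_sa_init(i.public(), ni, nr)
    tag = i.protected_exchange(b"IKE_AUTH"); r.protected_exchange(b"IKE_AUTH", tag)
    first, stage1 = r.ipsec_sa, r.seen            # stage 1 done: 4 messages
    tag = i.protected_exchange(b"CREATE_CHILD_SA")  # stage 2: rekey under IKE SA
    r.protected_exchange(b"CREATE_CHILD_SA", tag)
    return {"stage1_msgs": stage1, "total_msgs": r.seen,
            "ike_sa_match": i.ike_sa == r.ike_sa,
            "ipsec_sa_match": i.ipsec_sa == r.ipsec_sa,
            "ipsec_sa_replaced": r.ipsec_sa != first}
```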
During the implementation of the present invention, the inventor finds at least the following problems in the prior art:
The two stages of the SA negotiation process require six messages in total, which makes the entire SA negotiation process complex and time-consuming.